Database Reference
In-Depth Information
Filter commands
Search, of course, is included as a filter command as it results in a smaller data set. The
other filter commands take the results from a search and then further reduce them based on
the commands you use:
Command     What it Does
search      This is the most important command Splunk has. It is also the
            default command, so you do not need to type it at the start of
            the search box. However, if you run another search after one or
            more pipes, you do need to include the word search in that
            command. We'll learn more about search in the section How to
            perform simple searches.
where       This command takes an expression, such as
            where monthly_sales > avg_mon_sales, and evaluates it for each
            event. If the expression is TRUE, the event is kept in the search
            results; events for which it is not TRUE (including events that
            lack one of the fields) are dropped.
dedup       This command removes duplicates, keeping only the first x results
            for each distinct value of the field you name. dedup source
            returns only the first result for each source. Building on this,
            dedup 3 source returns only the first three results for each
            source.
head/tail   These commands return a specified number of events, counted from
            the top or the bottom of the list of events. The head command
            returns the first x results: head 10 returns the first ten
            results. The tail command returns the last x results: tail 10
            returns the last ten results.
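To make the semantics of these filter commands concrete, here is an added Python model of search, where, dedup, head and tail run over a constructed list of events. It is illustration code written for this page, not code from the original page and not Splunk's own implementation; the events, field names (source, host, msg, monthly_sales, avg_mon_sales) and the helper names search, where, dedup, head, tail and run are all made up for the demonstration. Each function corresponds to one SPL command, and run() chains them the way pipes do.

```python
from __future__ import annotations
from typing import Callable, Dict, List, Tuple

Event = dict
Stage = Callable[[List[Event]], List[Event]]

# Constructed sample events (not real log data), newest first, which is the
# order a Splunk search returns events in by default, so "head" yields the
# most recent events and "tail" the oldest.
EVENTS: List[Event] = [
    {"_time": "2023-03-01T10:05:00", "source": "/var/log/auth.log", "host": "web01",
     "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"_time": "2023-03-01T10:04:00", "source": "/var/log/auth.log", "host": "web01",
     "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"_time": "2023-03-01T10:03:00", "source": "/var/log/nginx/access.log", "host": "web01",
     "msg": "GET /login 200"},
    {"_time": "2023-03-01T10:02:00", "source": "/var/log/auth.log", "host": "web02",
     "msg": "sshd: Accepted publickey for alice from 198.51.100.7"},
    {"_time": "2023-03-01T10:01:00", "source": "/var/log/nginx/access.log", "host": "web02",
     "msg": "POST /login 401"},
    {"_time": "2023-03-01T10:00:00", "source": "sales.csv", "host": "erp01",
     "monthly_sales": 150, "avg_mon_sales": 120},
    {"_time": "2023-03-01T09:59:00", "source": "/var/log/auth.log", "host": "web03",
     "msg": "sshd: Failed password for admin from 203.0.113.9"},
    {"_time": "2023-02-01T10:00:00", "source": "sales.csv", "host": "erp01",
     "monthly_sales": 90, "avg_mon_sales": 120},
]


def search(term: str) -> Stage:
    """search <term>: keep events whose text contains the term (case-insensitive).
    Approximates Splunk's raw-text term match by scanning every field value."""
    needle = term.lower()

    def stage(events: List[Event]) -> List[Event]:
        return [e for e in events if any(needle in str(v).lower() for v in e.values())]
    return stage


def where(predicate: Callable[[Event], bool]) -> Stage:
    """where <expr>: keep events for which the expression is TRUE.
    In Splunk an event missing a field used in the expression evaluates to
    NULL and is dropped; here a KeyError plays that role."""
    def stage(events: List[Event]) -> List[Event]:
        kept = []
        for e in events:
            try:
                if predicate(e):
                    kept.append(e)
            except KeyError:
                pass  # field absent: not TRUE, so the event is filtered out
        return kept
    return stage


def dedup(*fields: str, keep: int = 1) -> Stage:
    """dedup [N] <field-list>: keep only the first N events for each distinct
    combination of the named fields' values (N defaults to 1), preserving
    order. Events missing one of the fields are dropped, which matches
    Splunk's default keepempty=false."""
    def stage(events: List[Event]) -> List[Event]:
        seen: Dict[Tuple, int] = {}
        kept = []
        for e in events:
            if any(f not in e for f in fields):
                continue
            key = tuple(e[f] for f in fields)
            seen[key] = seen.get(key, 0) + 1
            if seen[key] <= keep:
                kept.append(e)
        return kept
    return stage


def head(n: int = 10) -> Stage:
    """head N: the first N events (Splunk's default N is 10)."""
    return lambda events: events[:max(n, 0)]


def tail(n: int = 10) -> Stage:
    """tail N: the last N events (default 10), kept in their original order."""
    return lambda events: events[-n:] if n > 0 else []


def run(events: List[Event], *stages: Stage) -> List[Event]:
    """Apply stages left to right, exactly as SPL pipes do:
    search failed | dedup source host | head 5"""
    for stage in stages:
        events = stage(events)
    return events


def hosts(events: List[Event]) -> List[str]:
    """Convenience: the host field of each event, in order."""
    return [e["host"] for e in events]


if __name__ == "__main__":
    # Equivalent SPL: search failed | dedup source host | head 5
    for e in run(EVENTS, search("failed"), dedup("source", "host"), head(5)):
        print(e["_time"], e["host"], e["msg"])
```

Running the pipeline at the bottom keeps one failed-login event per source/host pair (web01 and web03), which is the typical use of dedup when you want to see which hosts were affected rather than every repeated attempt. Note that the where() example in the table drops the sales events whose monthly_sales is not above the average and every event that has no sales fields at all.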